Human error cited as leading contributor to breaches, study shows

"End user failure to follow policies and procedures" and "general carelessness" were cited as the top examples of human error.

Human error accounts for 52 percent of the root cause of security breaches, according to a new study from CompTIA, which surveyed individuals from hundreds of companies in the U.S.

Asked about the top examples of human error, 42 percent of those surveyed cited "end user failure to follow policies and procedures," another 42 percent cited "general carelessness," 31 percent named "failure to get up to speed on new threats," 29 percent named "lack of expertise with websites/applications," and 26 percent cited "IT staff failure to follow policies and procedures."

Despite 52 percent of respondents naming human error as the leading contributor to security breaches, only 30 percent of respondents in the study cited "human error among general staff" as a serious concern, and only 27 percent cited "human error among IT staff" as a serious concern.

“What is particularly troubling is that companies generally rate human error as a lower concern among other security issues [such as malware and hacking],” Seth Robinson, senior director of technology analysis with CompTIA, said in a Wednesday email correspondence.

Robinson said, “We believe the main reason for this is uncertainty about how to attack the problem, since traditional security approaches are heavily technology-based.”

Employee training is one way to address the human error issue, Robinson said. However, according to the report, only 54 percent of those surveyed said that their company offers some form of security training.

Of those, 71 percent indicated that "new employee orientation" is offered as a type of security training, 65 percent indicated that an "ongoing security training program" is offered, 50 percent said "random security audits" occur, 46 percent said security policies are physically posted, and 39 percent said an "online course" is offered.

“In addition to training, there are some technology solutions that can help mitigate human error,” Robinson said. “For example, a good [data loss prevention (DLP)] solution can detect whether sensitive data is being sent over email or copied to a USB stick. A determined employee will find ways around this, but this type of monitoring and detection can help minimize innocent mistakes.”

In the report, 58 percent of respondents said that a DLP solution is currently in use in their company. Additionally, 57 percent indicated that their company has adopted an Identity and Access Management (IAM) solution, and 49 percent said their company has adopted a Security Information and Event Management (SIEM) solution.

However, about half of respondents indicated that their company does not have a security policy, or that the organization is still working on a security policy.

“In general, building a policy will lead into risk analysis, where the overall organization can determine which data and systems are in need of the greatest security and which ones can have relaxed security in favor of business benefits,” Robinson said, adding, “Establishing ground rules through a policy and risk analysis can help determine the proper level of investment that must be made in technology and skills.”

Another area that is currently getting more attention is mobile security.

While lost devices were named in the study as the top mobile security issue, the study notes that those types of incidents have actually gone down in recent years. Problems that are on the rise include employees disabling security features, mobile malware, violation of corporate data policies, and mobile phishing attacks.

Some organizations are taking steps to address mobile device issues, the study shows. Forty-five percent of respondents said their organization has installed tracking/wiping software, 44 percent said passcodes are required on mobile devices, 39 percent said encryption is required on mobile devices, and 32 percent said additional training is offered for mobile security.

“In the early stages of mobility adoption, companies were primarily focused on the devices,” Robinson said. “A lost device was by far the most common form of mobile security incident. As mobile platforms have become a viable target for attackers, companies are realizing that they need a more comprehensive security approach that covers the apps and the data along with the devices.”
